Information Blocking Compliance: What do Healthcare Providers Need to Know?

On March 9, 2020, two rules were finalized and issued. The Office of the National Coordinator for Health Information Technology (ONC) issued the 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program, and the Centers for Medicare & Medicaid Services (CMS) issued the Interoperability and Patient Access Rule.

Are you considered a Healthcare Provider under the Information Blocking Rule?

A healthcare provider, as defined in 42 U.S.C. 300jj, is a "hospital; skilled nursing facility; nursing facility; home health entity or other long term care facility; health care clinic; community mental health center; renal dialysis facility; blood center; ambulatory surgical center; emergency medical services provider; federally qualified health center; group practice; pharmacist; pharmacy; laboratory; physician; practitioner; provider operated by or under contract with the Indian Health Service or by an Indian tribe, tribal organization, or urban Indian organization; rural health clinic; covered entity under 42 U.S.C. 256b; ambulatory surgical center; therapist; and any other category of health care facility, entity, practitioner, or clinician determined appropriate by the HHS Secretary."

What exactly is Information Blocking?

It is imperative to review the definition of Information Blocking as it pertains to healthcare providers in 45 CFR §171.103(a)(3).

Information blocking means a practice that, if conducted by a health care provider, such provider knows that such practice is unreasonable and is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information.

Are there exceptions to Information Blocking?

ONC defines eight exceptions where practices will not be considered information blocking, outlined in Subparts B and C. The exceptions fall into the following two categories.

Exceptions that involve not fulfilling requests to access, exchange, or use, such as:

  • Preventing Harm Exception
  • Privacy Exception
  • Security Exception
  • Infeasibility Exception
  • Health IT Performance Exception

Exceptions that involve procedures for fulfilling requests to access, exchange, or use, such as:

  • Content and Manner Exception
  • Fees Exception
  • Licensing Exception

What health information does the Information Blocking Rule include?

Until May 2, 2022, electronic health information is limited to the electronic health information identified by the data elements represented in the United States Core Data for Interoperability (USCDI) standard adopted in 45 CFR §170.213. The USCDI v1 Summary of Data Classes includes allergies and intolerances, assessment and plan of treatment, care team members, clinical notes, goals, health concerns, immunizations, laboratory, medications, patient demographics, problems, procedures, provenance, smoking status, unique device IDs for implantable devices, and vital signs. The ONC published a paper with a deeper dive into these data classes. After May 2, 2022, the standard narrows to ePHI in a Designated Record Set, excluding Psychotherapy Notes and information gathered for use in a civil, criminal, or administrative action.

What are the penalties and enforcement of the CMS Interoperability and Patient Access final rule?

The CMS final rule establishes a new Condition of Participation (CoP) for all Medicare and Medicaid participating hospitals. It requires them to send electronic notifications to another healthcare facility, or community provider or practitioner when a patient is admitted, discharged, or transferred to their primary care practitioners or other practitioners primarily responsible for their care. CMS changed the text of the final rule to state that the CoP will now be effective on May 1, 2021.

The CMS final rule also requires Medicare Advantage plans, Medicaid state agencies, Medicaid managed care plans, CHIP agencies, CHIP managed care entities, and issuers of qualified health plans on federally-facilitated exchanges (Covered Plans and Agencies) to implement APIs that allow patient information to be shared more readily. CMS announced it would exercise enforcement discretion for a period of six months until July 1, 2021.

For healthcare providers, enforcement comes primarily from CMS and HHS and is based on attestations that you are not information blocking, which are part of the CMS incentive programs MIPS or the Promoting Interoperability Programs (formerly known as Meaningful Use). There are penalties for false attestation.

What do Healthcare Providers need to do?

These are just a few items to help you get started evaluating your compliance and creating an action plan.

  • Establish a committee to review the requirements and develop an action plan. The committee should include your compliance staff.
  • Review access policies and revise them to meet the expectations of ONC’s final rule.
  • Develop a process for evaluating access against the eight exceptions. Because the burden of proof falls on the healthcare provider, the process should include documentation retained for future reference.
  • Train staff on any policy changes.
  • Identify EMR system limitations and understand what your EMR vendors are doing to respond to these requirements.

Do you need assistance evaluating your compliance and creating an action plan? Contact us today and request to speak directly with DeAnn Tucker MHA, RHIA, CHPS, Senior Manager at Coker Group.
